Terracotta VPN, the Chinese VPN Service as Hacking Platform

Pierluigi Paganini August 05, 2015

A Chinese-language Virtual Private Network service provider dubbed Terracotta VPN offers a network of compromised servers as a stealth hacking platform.

According to RSA Security, a China-based virtual private network (VPN) service provider offers hacking crews a network of compromised servers that can be used to carry out stealthy cyber attacks.

The attacks appear to come from legitimate IP addresses belonging to organizations with a good reputation, which makes it difficult for the victim to identify the real source of the attack.

The VPN service identified by RSA and dubbed Terracotta VPN “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world.” Terracotta VPN is a commercial VPN service provider with over 1,500 nodes around the world; the majority of its servers are actually compromised Windows systems belonging to SMBs.

“Terracotta’s network of 1500+ VPN nodes throughout the world are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victim’s knowledge or permission. New nodes are continually added as new victims are enlisted, and they are unpublished outside of the Terracotta user-base,” RSA wrote in a report. “RSA Research suspects that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds).”

Operators behind Terracotta VPN target Windows servers with brute-force attacks to crack an administrator’s password. Once they have the admin credentials, they disable the Windows firewall and any other security software and then install a remote access Trojan. The last step consists in creating a new administrative account on the server and installing a Windows VPN service.
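The enlistment chain just described, written as a detection rule that correlates Windows event-log lines per host (an added example, not code from the article or RSA's report; the event IDs are real Windows IDs, while the flat key=value export format, the host/src field names and the sample lines are constructed assumptions):

```python
from collections import defaultdict

# Real Windows event IDs for each post-compromise stage of the chain
STAGES = {
    "firewall_disabled": {5025, 4950},   # firewall service stopped / setting changed
    "service_installed": {7045},         # new service (RAT or RRAS VPN) installed
    "admin_account_added": {4720, 4732}, # account created / added to a local group
}

def parse(line):
    """Parse a constructed 'ts=120 host=srv1 id=4625 src=203.0.113.5' line."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"], rec["id"] = int(rec["ts"]), int(rec["id"])
    return rec

def detect_enlistment(lines, min_failures=20, window=3600):
    """Per host: >= min_failures failed logons (4625) from one source, then a
    successful logon (4624) from that same source, then the persistence
    stages within `window` seconds of that logon."""
    by_host = defaultdict(list)
    for rec in map(parse, lines):
        by_host[rec["host"]].append(rec)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda r: r["ts"])
        fails, logon = defaultdict(int), None
        for r in evs:
            if r["id"] == 4625:
                fails[r["src"]] += 1
            elif r["id"] == 4624 and fails[r["src"]] >= min_failures:
                logon = (r["ts"], r["src"])
                break
        if logon is None:          # brute force never succeeded on this host
            continue
        t0, attacker = logon
        stages = {name for r in evs if t0 < r["ts"] <= t0 + window
                  for name, ids in STAGES.items() if r["id"] in ids}
        findings[host] = {"src": attacker, "failed_logons": fails[attacker],
                          "stages": sorted(stages),
                          "complete": stages == set(STAGES)}
    return findings

# Constructed sample: srv1 shows 25 failures, a success, then all three stages;
# srv2 only shows a burst of failures with no successful logon.
SAMPLE = (
    [f"ts={i} host=srv1 id=4625 src=203.0.113.5" for i in range(25)]
    + ["ts=30 host=srv1 id=4624 src=203.0.113.5", "ts=40 host=srv1 id=5025 src=-",
       "ts=50 host=srv1 id=7045 src=-", "ts=60 host=srv1 id=4720 src=-",
       "ts=70 host=srv1 id=4732 src=-"]
    + [f"ts={i} host=srv2 id=4625 src=198.51.100.9" for i in range(30)]
)

if __name__ == "__main__":
    for host, finding in detect_enlistment(SAMPLE).items():
        print(host, finding)
```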

RSA experts discovered that the majority of the servers owned by Terracotta consists of compromised machines located in China, Japan, South Korea, the United States, and some countries in Eastern Europe.

The list of victims is long; according to the report it includes a Fortune 500 hotel chain, a hi-tech manufacturer, a doctor’s office, school and university systems, a law firm, and a county government for an unidentified U.S. state.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA states in the report.

The name Terracotta VPN assigned to the malicious infrastructure is a clear reference to the Chinese Terracotta Army. Hacker crews are thought to be using Terracotta to run attacks while remaining anonymous; the experts speculate that well-known APT groups, including “Shell_Crew” and “Deep Panda,” have used it.

RSA suspects state-sponsored hackers have leveraged at least 52 Terracotta VPN nodes to hit targets among private firms and government organizations. A report provided to RSA by a large defense contractor confirms that 27 different Terracotta VPN node Internet addresses were used in phishing campaigns targeting users in its organization.

“Out of the thirteen different IP addresses used during this campaign against this one (APT) target, eleven (85%) were associated with Terracotta VPN nodes,” RSA wrote of one cyber espionage campaign it investigated. “Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic.”

RSA grouped victims into “three classes”: the first class includes the consumers who purchase Terracotta thinking it is a legitimate VPN service, the second class includes the more than 300 companies whose servers have been compromised, and the third group is composed of the organizations attacked through the Terracotta VPN.

Criminal organizations renting out networks of compromised servers is not a novelty; what is new is the commercial offering of Terracotta VPN, which is marketed under several different brands and websites but is run by a single commercial enterprise.

RSA reported its findings to the U.S.-based victims whose servers were part of the Terracotta VPN, and it is also publishing the list of malicious IP addresses and domains it has identified as part of the Terracotta VPN infrastructure.

As explained by the well-known security investigator Brian Krebs, RSA included a single screenshot of the software used by one of the commercial VPN services, carefully omitting any information that would allow readers to find the websites offering the Terracotta VPN.

One of the domains identified in the report is 8800free[dot]info, a good starting point for Krebs’ investigation. Krebs is a master, and I decided to reproduce an excerpt from his analysis to show how to proceed in cases like this.

“A lookup at Domaintools.com for the historic registration records on 8800free[dot]info show it was originally registered in 2010 to someone using the email address “xnt50@163.com.” Among the nine other domains registered to xnt50@163.com is 517jiasu[dot]cn, an archived version of which is available here.

Domaintools shows that in 2013 the registration record for 8800free[dot]info was changed to include the email address “jzbb@foxmail.com.” Helpfully, that email was used to register at least 39 other sites, including quite a few that are or were at one time advertising similar-looking VPN services.

Pivoting off the historic registration records for many of those sites turns up a long list of VPN sites registered to other interesting email addresses, including “adsyb@163.com,” “asdfyb@hotmail.com” and “itjsq@qq.com” (click the email addresses for a list of domains registered to each). Armed with lists of dozens of VPN sites, it wasn’t hard to find several sites offering different VPN clients for download. I installed each on a carefully isolated virtual machine (don’t try this at home, kids!).

None of the VPN clients I tried would list the Internet addresses of the individual nodes. However, each node in the network can be discovered simply by running some type of network traffic monitoring tool in the background (I used Wireshark), and logging the address that is pinged when one clicks on a new connection.” explained Krebs.

Pierluigi Paganini

(Security Affairs – Hacking, Terracotta VPN)

